DepScope
DepScope is a package intelligence MCP server providing 22 tools across 19 ecosystems, helping AI agents make safe, informed dependency decisions by preventing hallucinations, catching vulnerabilities, and stopping supply-chain attacks.
Security & Safety
Malware detection — Check packages against OpenSSF/OSV malicious package lists
Typosquat detection — Identify if a package name is a typosquat (e.g. lodsh vs lodash)
Vulnerability lookup — Retrieve CVEs/OSV advisories with CVSS scores and fix versions
Bulk pre-flight check — Batch validate multiple packages at once (existence, typosquats, malicious flags)
Package Intelligence
Full health report — Machine-readable JSON with score, vulnerabilities, maintainers, and recommendation
LLM-optimized brief — Plain-text summary with ~75% fewer tokens and a SAFE/AVOID/URGENT/MALICIOUS verdict
Health score — Quick 0–100 score for go/no-go decisions
Package existence check — Boolean guard against hallucinated package names
Latest version — Latest published version and deprecation status
Install commands — Canonical install commands across package managers
Vulnerability & Version Management
Pin safe version — Find the highest version below a chosen CVE severity tier within semver constraints
Breaking changes — List breaking changes between two major versions
Migration path — Prescriptive plan (with code diffs) for switching to a replacement package
Known bugs — Non-CVE bugs for a specific package version
Project & Stack Analysis
Scan project — Audit a full dependency list with per-package health and prioritized actions (REMOVE NOW / URGENT / REPLACE / REVIEW)
Compare packages — Side-by-side comparison of 2–10 packages (health, vulns, downloads, maintainers)
Check compatibility — Verify if a multi-package version combination works together
Find alternatives — Curated replacements for deprecated or unhealthy packages
Trust, Discovery & Support
Trust signals — Maintainer bus factor, OpenSSF Scorecard, quality metrics, and SLSA/Sigstore provenance
Resolve errors — Map error messages or stack traces to verified fixes
Trending packages — Live trending packages with rank-delta and weekly growth metrics
Submit tickets — Report bugs, security findings, anomalies, or partnership inquiries
Provides package intelligence for the CocoaPods ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the Composer ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the Homebrew ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the JSR (JavaScript Registry) ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the Julia ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the npm ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the NuGet ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the PyPI ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the RubyGems ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
Provides package intelligence for the Swift ecosystem, including vulnerability checks, health scores, alternatives, and lockfile ingestion.
DepScope
Package Intelligence for AI Agents. Stops AI coding agents (Claude, ChatGPT, Cursor, Windsurf, Copilot, Cline) from installing hallucinated, deprecated, or malicious packages across 19 ecosystems.
→ Live at depscope.dev · 8.4M+ packages · 42K+ vulnerabilities (99% EPSS-enriched) · zero auth · free
Quick start (MCP)
Claude Desktop / Cursor / Windsurf — remote

```json
{
  "mcpServers": {
    "depscope": {
      "url": "https://mcp.depscope.dev/mcp"
    }
  }
}
```

Claude Code / local — stdio

```json
{
  "mcpServers": {
    "depscope": {
      "command": "npx",
      "args": ["-y", "depscope-mcp"]
    }
  }
}
```

The MCP server source is at cuttalo/depscope-mcp (AGPL-3.0).
What it does
22 MCP tools across 19 package ecosystems:
npm · pypi · cargo · go · composer · maven · nuget · rubygems · pub · hex · swift · cocoapods · cpan · hackage · cran · conda · homebrew · jsr · julia
| Tool | Purpose |
|---|---|
| | Full safety check: deprecation · vulnerabilities · health · recommendation |
| | Malicious-package detector |
| | Typosquat detection vs popular names |
| | Hallucination detector (404 = LLM invented it) |
| | 0–100 health score with breakdown |
| | Vulnerabilities + severity scoring |
| | Suggested alternatives for deprecated/abandoned packages |
| | Major-version migration notes |
| | Known issues for a package |
| | Side-by-side comparison |
| | Stack-level compatibility check |
| | Error message → likely cause + fix |
| | Verified install command for the target ecosystem |
| | Latest stable version + maturity signal |
| | Suggested safe version pin |
| | Multi-signal trust score |
| | Step-by-step upgrade plan |
| | Bulk scan of dependency manifests |
| | Fast pre-flight filter for batches |
| | Trending packages by ecosystem |
| | Compact LLM-friendly summary |
| | Report a missing package or false positive |
REST API
Same data, plain HTTPS — no MCP client needed.

```bash
curl https://depscope.dev/api/check/npm/lodash
curl https://depscope.dev/api/check/pypi/requests
curl https://depscope.dev/api/check/cargo/serde
```

Full reference: depscope.dev/integrate
Why
LLMs frequently invent package names that look real but don't exist (fastapi-turbo, lodahs, tokio-stream-extras). When an agent tries to install one, it can hit an attacker's typosquat. DepScope verifies every package before install.
Read more: depscope.dev/why
Pricing
Free. No auth required. Generous rate limits.
If you need higher quotas, SLA, or on-prem deployment, contact us at depscope@cuttalo.com.
Open source vs proprietary
This repository is a landing page with documentation only.
MCP server (client SDK) — open source, AGPL-3.0: cuttalo/depscope-mcp (npm: depscope-mcp)
Backend (API + intelligence layer) — proprietary, hosted at depscope.dev.
This split lets us keep the client free, auditable, and community-extensible while sustaining the infrastructure that powers it.
Links
Homepage · depscope.dev
API docs · depscope.dev/integrate
MCP server source · cuttalo/depscope-mcp
npm · depscope-mcp
Glama listing · glama.ai/mcp/servers/cuttalo/depscope
Awesome MCP · punkpeye/awesome-mcp-servers
License
This README and accompanying landing files: CC-BY-4.0. MCP client SDK: AGPL-3.0 (see cuttalo/depscope-mcp). Backend service: proprietary.
Built by Cuttalo srl · Italy 🇮🇹